I don't necessarily agree with the idea of private companies monitoring the quality of your credit worthiness for profit. However, it's even worse when they expose almost half the population's SSN, Name, and other info because of poor website security.

On Thursday, Equifax offered to provide free credit monitoring for people affected by the latest breach.

So how does one know if they're among the affected?

You are probably affected if you: #1 live in America. #2 have a credit history of some sort.

Take 143 million, add 75 million children and 20 million unbanked and throw in a few million who basically let their spouse do all the financial stuff and you are getting pretty close to the total population of the USA.

*sighs* And repercussions for this against the company will be...most likely nonexistent. Because we live in America, where companies get slaps on the hand and contempt of court charges get indefinite incarceration.

Is there a corporate "death penalty"? (I'm not saying they should be killed, but that they should no longer be allowed to be in this business.)

Because this is such a big failure that they can no longer be trusted anywhere near anyone's personal information. They should be made to go away. Any lender who shares our personal information with this corporation in the future should be 100% liable for any future breach that may occur, now that they've shown they lack the basic diligence to protect the information they're entrusted with.

Why the fuck was all this information online to begin with? Identifier + score is all that's needed actively online to perform their business function.

It probably isn't a good idea to blindly click on a link posted anywhere on any forums unless you specifically know the person posting the link (and even then it can be iffy).

To be clear, I am NOT accusing thekaj of posting a malicious link, but it seems like - especially on a topic that refers to security - it would be a good idea not to follow a link that you don't really know.

It's the page that the story links to. Or are you saying ars is untrustworthy in and of itself?

So what does this mean for my credit freeze? One of the most secure ways to prevent people from stealing your identity is to put a credit freeze or lock in place with the major credit bureaus. If a major credit bureau has been breached, does that mean someone could potentially unlock my credit, at least with this bureau?

Nothing is secure.

Any company that gathers personal information that would enable identity theft should be subject to heavy fines as well as paying customers for the time and trouble it will take to replace their cards if it suffers a preventable hack. These hacks will continue until neglecting security costs more than implementing it.

I believe so. I entered my data, and got the same response. I entered my wife's data, and surprisingly it said that she was not impacted. I entered my daughters' info (aged 10 and 12), and the response indicates that they were affected too (even though I can't imagine their data was ever given to Equifax).

Hey we got hacked, here's a totally phishy non-Equifax domain signed with a CloudFlare DV SSL cert with an expired CRL we want you to enter sensitive info into. And they wonder why phishing works so well...

Once upon a time, I worked at Equifax. They would host periodic town halls with the CEO, and one of these town halls was shortly after a major Experian breach through a third-party vendor.

I asked if we had adequate vetting of our supplier/third-party/end-user pipeline, and he started off the response by saying: "Don't gloat about it. Data security is one of the things that keeps me up at night, and it's just as likely it could have hit us."

The rest of the response was very much CEO-speak for "holy shit we didn't realize this attack vector existed and now we're trying to cover ourselves." But, it does strike me as plausible that they do put some measure of emphasis on security, though apparently not enough.

I still think free credit monitoring as penance is wholly inadequate, though, and wouldn't mind some enforcement with teeth.

That's an excellent question and one I've not seen answered. If the link posted elsewhere says you're impacted, I'd suggest changing the unlock code or passphrase. Couldn't hurt to do it on general principle, either, I suppose. (I forget exactly how Equifax does theirs. My info supposedly wasn't impacted.)

One year of protection doesn't seem enough. If someone has my social security number, birth date, address, etc., I am exposed to data theft indefinitely.

We need to have something better than a social security number for "ID".

The hackers, or the people they sell to, are likely smart enough to wait a year and a day before using the bulk of the information. Any means of verifying identity is only as good as the means used to secure it.

Back in 2005 I wrote a "modest proposal" about how we could solve a lot of problems with inappropriate SSN use if a group of hackers were to warn businesses and give them time to clean up their acts, then release a massive quantity of SSNs. Looks like Equifax have gone ahead with that, minus the "warning businesses" part. So ultimately, this might be a good thing. It'll just suck in the short term as companies with hopelessly inept security procedures are exploited by criminals.

(I once had someone in LA run up $6K of cable bills in my name, and I've never even been to LA. So yes, I know how much it sucks.)

I read it. I think it is stupid of Equifax to train people that it is ok to post their info to a custom URL that is a variation of the Equifax domain that *anybody could register* rather than to a subdomain of Equifax's main domain, which only Equifax can use.
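The distinction the post above draws (a subdomain only the domain owner controls, versus a separately registrable lookalike name) can be checked mechanically. The example below is added here and is not code from the thread or from Equifax; the `*.example` and `*.test` hostnames are constructed placeholders, not the real breach-response domain.

```python
# Added example: decide whether a link's host actually sits under a trusted
# parent domain, or is merely a lookalike name anyone could have registered.
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL ('' if it has none)."""
    host = urlsplit(url).hostname
    return (host or "").lower().rstrip(".")


def is_under_domain(url: str, parent: str) -> bool:
    """True only if the URL's host is `parent` itself or a subdomain of it.

    A bare suffix test is not enough: 'notequifax.example' ends with
    'equifax.example' but is a different registrable name, so the match
    must start on a label boundary (a dot).
    """
    host = host_of(url)
    parent = parent.lower().rstrip(".")
    if not host or not parent:
        return False
    return host == parent or host.endswith("." + parent)


# Constructed sample links (placeholders, not real Equifax URLs) with the
# verdict a reader should expect for each.
PARENT = "equifax.example"
SAMPLE_LINKS = {
    "https://www.equifax.example/breach-info": True,    # genuine subdomain
    "https://equifax.example/": True,                   # the parent itself
    "https://www.equifax.example./": True,              # trailing-dot FQDN form
    "https://equifax-breach-2017.example/": False,      # separately registrable lookalike
    "https://notequifax.example/": False,               # suffix trap
    "https://equifax.example.evil.test/login": False,   # parent used as a prefix
    "https://equifax.example@evil.test/": False,        # userinfo trick: host is evil.test
    "mailto:help@equifax.example": False,               # no web host at all
}


def check_links(links=SAMPLE_LINKS, parent=PARENT) -> dict:
    """Map each link to whether it is under `parent`."""
    return {url: is_under_domain(url, parent) for url in links}


if __name__ == "__main__":
    for url, ok in check_links().items():
        print(("trusted " if ok else "LOOKALIKE") + "  " + url)
```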